min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:sfackler/rust-openssl

This commit is contained in:
Benjamin Fry 2017-01-22 22:24:45 -08:00
parent fbfecd63ae 722bdb6a4c
commit 225552b823
12 changed files with 304 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
openssl-sys/src/lib.rs
View File

@ -76,6 +76,13 @@ pub enum point_conversion_form_t {
POINT_CONVERSION_HYBRID = 6,
}
#[repr(C)]
pub struct AES_KEY {
// There is some business with AES_LONG which is there to ensure the values here are 32 bits
rd_key: [u32; 4 * (AES_MAXNR as usize + 1)],
rounds: c_int,
}
#[repr(C)]
pub struct GENERAL_NAME {
pub type_: c_int,
@ -114,6 +121,12 @@ pub type PasswordCallback = unsafe extern fn(buf: *mut c_char, size: c_int,
rwflag: c_int, user_data: *mut c_void)
-> c_int;
pub const AES_ENCRYPT: c_int = 1;
pub const AES_DECRYPT: c_int = 0;
pub const AES_MAXNR: c_int = 14;
pub const AES_BLOCK_SIZE: c_int = 16;
pub const BIO_TYPE_NONE: c_int = 0;
pub const BIO_CTRL_EOF: c_int = 2;
@ -1096,6 +1109,8 @@ pub const OCSP_RESPONSE_STATUS_TRYLATER: c_int = 3;
pub const OCSP_RESPONSE_STATUS_SIGREQUIRED: c_int = 5;
pub const OCSP_RESPONSE_STATUS_UNAUTHORIZED: c_int = 6;
pub const OPENSSL_EC_NAMED_CURVE: c_int = 1;
pub const PKCS5_SALT_LEN: c_int = 8;
pub const PKCS12_DEFAULT_ITER: c_int = 2048;
@ -1252,15 +1267,15 @@ pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
pub const X509_V_OK: c_int = 0;
#[cfg(not(ossl101))]
#[cfg(not(any(ossl101, libressl)))]
pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1;
#[cfg(not(ossl101))]
#[cfg(not(any(ossl101, libressl)))]
pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2;
#[cfg(not(ossl101))]
#[cfg(not(any(ossl101, libressl)))]
pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4;
#[cfg(not(ossl101))]
#[cfg(not(any(ossl101, libressl)))]
pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8;
#[cfg(not(ossl101))]
#[cfg(not(any(ossl101, libressl)))]
pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10;
pub const GEN_OTHERNAME: c_int = 0;
@ -1369,6 +1384,10 @@ pub fn ERR_GET_REASON(l: c_ulong) -> c_int {
}
extern {
pub fn AES_set_encrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int;
pub fn AES_set_decrypt_key(userKey: *const c_uchar, bits: c_int, key: *mut AES_KEY) -> c_int;
pub fn AES_ige_encrypt(in_: *const c_uchar, out: *mut c_uchar, length: size_t, key: *const AES_KEY, ivec: *mut c_uchar, enc: c_int);
pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int;
pub fn ASN1_GENERALIZEDTIME_free(tm: *mut ASN1_GENERALIZEDTIME);
pub fn ASN1_GENERALIZEDTIME_print(b: *mut BIO, tm: *const ASN1_GENERALIZEDTIME) -> c_int;
@ -1494,6 +1513,7 @@ extern {
pub fn EC_GROUP_get_curve_GF2m(group: *const EC_GROUP, p: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int;
pub fn EC_GROUP_get_degree(group: *const EC_GROUP) -> c_int;
pub fn EC_GROUP_get_order(group: *const EC_GROUP, order: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int;
pub fn EC_GROUP_set_asn1_flag(key: *mut EC_GROUP, flag: c_int);
pub fn EC_GROUP_free(group: *mut EC_GROUP);

3
openssl-sys/src/ossl110.rs
View File

@ -68,6 +68,9 @@ extern {
pub fn CRYPTO_malloc(num: size_t, file: *const c_char, line: c_int) -> *mut c_void;
pub fn CRYPTO_free(buf: *mut c_void, file: *const c_char, line: c_int);
pub fn EVP_chacha20() -> *const ::EVP_CIPHER;
pub fn EVP_chacha20_poly1305() -> *const ::EVP_CIPHER;
pub fn HMAC_CTX_new() -> *mut HMAC_CTX;
pub fn HMAC_CTX_free(ctx: *mut HMAC_CTX);

115
openssl/src/aes.rs Normal file
View File

@ -0,0 +1,115 @@
//! Low level AES functionality
//!
//! The `symm` module should be used in preference to this module in most cases.
use ffi;
use std::mem;
use libc::c_int;
use symm::Mode;
#[derive(Debug)]
pub struct KeyError(());
pub struct AesKey(ffi::AES_KEY);
impl AesKey {
/// Prepares a key for encryption.
///
/// # Failure
///
/// Returns an error if the key is not 128, 192, or 256 bits.
pub fn new_encrypt(key: &[u8]) -> Result<AesKey, KeyError> {
unsafe {
assert!(key.len() <= c_int::max_value() as usize / 8);
let mut aes_key = mem::uninitialized();
let r = ffi::AES_set_encrypt_key(key.as_ptr() as *const _,
key.len() as c_int * 8,
&mut aes_key);
if r == 0 {
Ok(AesKey(aes_key))
} else {
Err(KeyError(()))
}
}
}
/// Prepares a key for decryption.
///
/// # Failure
///
/// Returns an error if the key is not 128, 192, or 256 bits.
pub fn new_decrypt(key: &[u8]) -> Result<AesKey, KeyError> {
unsafe {
assert!(key.len() <= c_int::max_value() as usize / 8);
let mut aes_key = mem::uninitialized();
let r = ffi::AES_set_decrypt_key(key.as_ptr() as *const _,
key.len() as c_int * 8,
&mut aes_key);
if r == 0 {
Ok(AesKey(aes_key))
} else {
Err(KeyError(()))
}
}
}
}
/// Performs AES IGE encryption or decryption
///
/// # Panics
///
/// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if
/// `iv` is not at least 32 bytes.
pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) {
unsafe {
assert!(in_.len() == out.len());
assert!(in_.len() % ffi::AES_BLOCK_SIZE as usize == 0);
assert!(iv.len() >= ffi::AES_BLOCK_SIZE as usize * 2);
let mode = match mode {
Mode::Encrypt => ffi::AES_ENCRYPT,
Mode::Decrypt => ffi::AES_DECRYPT,
};
ffi::AES_ige_encrypt(in_.as_ptr() as *const _,
out.as_mut_ptr() as *mut _,
in_.len(),
&key.0,
iv.as_mut_ptr() as *mut _,
mode);
}
}
#[cfg(test)]
mod test {
use hex::FromHex;
use symm::Mode;
use super::*;
// From https://www.mgp25.com/AESIGE/
#[test]
fn ige_vector_1() {
let raw_key = "000102030405060708090A0B0C0D0E0F";
let raw_iv = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F";
let raw_pt = "0000000000000000000000000000000000000000000000000000000000000000";
let raw_ct = "1A8519A6557BE652E9DA8E43DA4EF4453CF456B4CA488AA383C79C98B34797CB";
let key = AesKey::new_encrypt(&Vec::from_hex(raw_key).unwrap()).unwrap();
let mut iv = Vec::from_hex(raw_iv).unwrap();
let pt = Vec::from_hex(raw_pt).unwrap();
let ct = Vec::from_hex(raw_ct).unwrap();
let mut ct_actual = vec![0; ct.len()];
aes_ige(&pt, &mut ct_actual, &key, &mut iv, Mode::Encrypt);
assert_eq!(ct_actual, ct);
let key = AesKey::new_decrypt(&Vec::from_hex(raw_key).unwrap()).unwrap();
let mut iv = Vec::from_hex(raw_iv).unwrap();
let mut pt_actual = vec![0; pt.len()];
aes_ige(&ct, &mut pt_actual, &key, &mut iv, Mode::Decrypt);
assert_eq!(pt_actual, pt);
}
}

1
openssl/src/crypto.rs
View File

@ -2,4 +2,3 @@ use string::OpensslString;
#[deprecated(note = "renamed to OpensslString", since = "0.9.7")]
pub type CryptoString = OpensslString;

84
openssl/src/ec.rs
View File

@ -1,11 +1,13 @@
use ffi;
use std::ptr;
use std::mem;
use libc::c_int;
use {cvt, cvt_n, cvt_p, init};
use bn::{BigNumRef, BigNumContextRef};
use error::ErrorStack;
use nid::Nid;
use types::OpenSslTypeRef;
use types::{OpenSslType, OpenSslTypeRef};
pub const POINT_CONVERSION_COMPRESSED: PointConversionForm =
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_COMPRESSED);
@ -16,9 +18,17 @@ pub const POINT_CONVERSION_UNCOMPRESSED: PointConversionForm =
pub const POINT_CONVERSION_HYBRID: PointConversionForm =
PointConversionForm(ffi::point_conversion_form_t::POINT_CONVERSION_HYBRID);
// OPENSSL_EC_EXPLICIT_CURVE, but that was only added in 1.1.
// Man page documents that 0 can be used in older versions.
pub const EXPLICIT_CURVE: Asn1Flag = Asn1Flag(0);
pub const NAMED_CURVE: Asn1Flag = Asn1Flag(ffi::OPENSSL_EC_NAMED_CURVE);
#[derive(Copy, Clone)]
pub struct PointConversionForm(ffi::point_conversion_form_t);
#[derive(Copy, Clone)]
pub struct Asn1Flag(c_int);
type_!(EcGroup, EcGroupRef, ffi::EC_GROUP, ffi::EC_GROUP_free);
impl EcGroup {
@ -80,6 +90,17 @@ impl EcGroupRef {
cvt(ffi::EC_GROUP_get_order(self.as_ptr(), order.as_ptr(), ctx.as_ptr())).map(|_| ())
}
}
/// Sets the flag determining if the group corresponds to a named curve or must be explicitly
/// parameterized.
///
/// This defaults to `EXPLICIT_CURVE` in OpenSSL 1.0.1 and 1.0.2, but `NAMED_CURVE` in OpenSSL
/// 1.1.0.
pub fn set_asn1_flag(&mut self, flag: Asn1Flag) {
unsafe {
ffi::EC_GROUP_set_asn1_flag(self.as_ptr(), flag.0);
}
}
}
type_!(EcPoint, EcPointRef, ffi::EC_POINT, ffi::EC_POINT_free);
@ -311,22 +332,18 @@ impl EcKey {
/// let key = EcKey::from_public_key(&group, &point);
/// ```
pub fn from_public_key(group: &EcGroupRef, public_key: &EcPointRef) -> Result<EcKey, ErrorStack> {
unsafe {
let key = EcKey(try!(cvt_p(ffi::EC_KEY_new())));
try!(cvt(ffi::EC_KEY_set_group(key.as_ptr(), group.as_ptr())));
try!(cvt(ffi::EC_KEY_set_public_key(key.as_ptr(), public_key.as_ptr())));
Ok(key)
}
let mut builder = try!(EcKeyBuilder::new());
try!(builder.set_group(group));
try!(builder.set_public_key(public_key));
Ok(builder.build())
}
/// Generates a new public/private key pair on the specified curve.
pub fn generate(group: &EcGroupRef) -> Result<EcKey, ErrorStack> {
unsafe {
let key = EcKey(try!(cvt_p(ffi::EC_KEY_new())));
try!(cvt(ffi::EC_KEY_set_group(key.as_ptr(), group.as_ptr())));
try!(cvt(ffi::EC_KEY_generate_key(key.as_ptr())));
Ok(key)
}
let mut builder = try!(EcKeyBuilder::new());
try!(builder.set_group(group));
try!(builder.generate_key());
Ok(builder.build())
}
#[deprecated(since = "0.9.2", note = "use from_curve_name")]
@ -338,6 +355,47 @@ impl EcKey {
private_key_from_der!(EcKey, ffi::d2i_ECPrivateKey);
}
type_!(EcKeyBuilder, EcKeyBuilderRef, ffi::EC_KEY, ffi::EC_KEY_free);
impl EcKeyBuilder {
pub fn new() -> Result<EcKeyBuilder, ErrorStack> {
unsafe {
init();
cvt_p(ffi::EC_KEY_new()).map(EcKeyBuilder)
}
}
pub fn build(self) -> EcKey {
unsafe {
let key = EcKey::from_ptr(self.as_ptr());
mem::forget(self);
key
}
}
}
impl EcKeyBuilderRef {
pub fn set_group(&mut self, group: &EcGroupRef) -> Result<&mut EcKeyBuilderRef, ErrorStack> {
unsafe {
cvt(ffi::EC_KEY_set_group(self.as_ptr(), group.as_ptr())).map(|_| self)
}
}
pub fn set_public_key(&mut self,
public_key: &EcPointRef)
-> Result<&mut EcKeyBuilderRef, ErrorStack> {
unsafe {
cvt(ffi::EC_KEY_set_public_key(self.as_ptr(), public_key.as_ptr())).map(|_| self)
}
}
pub fn generate_key(&mut self) -> Result<&mut EcKeyBuilderRef, ErrorStack> {
unsafe {
cvt(ffi::EC_KEY_generate_key(self.as_ptr())).map(|_| self)
}
}
}
#[cfg(test)]
mod test {
use bn::BigNumContext;

1
openssl/src/lib.rs
View File

@ -24,6 +24,7 @@ mod macros;
mod bio;
mod util;
pub mod aes;
pub mod asn1;
pub mod bn;
pub mod crypto;

2
openssl/src/ocsp.rs
View File

@ -141,7 +141,7 @@ impl OcspBasicResponseRef {
/// Verifies the validity of the response.
///
/// The `certs` parameter contains a set of certificates that will be searched when locating the
/// OCSP response signing certificate. Some responders to not include this in the response.
/// OCSP response signing certificate. Some responders do not include this in the response.
pub fn verify(&self,
certs: &StackRef<X509>,
store: &X509StoreRef,

4
openssl/src/ssl/mod.rs
View File

@ -828,12 +828,12 @@ impl SslContextBuilder {
/// Enables ECDHE key exchange with an automatically chosen curve list.
///
/// Requires the `v102` feature and OpenSSL 1.0.2.
#[cfg(all(feature = "v102", ossl102))]
#[cfg(all(feature = "v102", any(ossl102, libressl)))]
pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
self._set_ecdh_auto(onoff)
}
#[cfg(ossl102)]
#[cfg(any(ossl102,libressl))]
fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
}

3
openssl/src/ssl/tests/mod.rs
View File

@ -100,6 +100,7 @@ impl Server {
Server::new_tcp(&["-www"])
}
#[allow(dead_code)]
fn new_alpn() -> (Server, TcpStream) {
Server::new_tcp(&["-www",
"-nextprotoneg",
@ -1428,7 +1429,7 @@ fn status_callbacks() {
let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
assert_eq!(response.status(), RESPONSE_STATUS_UNAUTHORIZED);
Ok(true)
});
}).unwrap();
let mut ssl = Ssl::new(&ctx.build()).unwrap();
ssl.set_status_type(STATUS_TYPE_OCSP).unwrap();
ssl.connect(stream).unwrap();

60
openssl/src/symm.rs
View File

@ -108,6 +108,18 @@ impl Cipher {
unsafe { Cipher(ffi::EVP_rc4()) }
}
/// Requires the `v110` feature and OpenSSL 1.1.0.
#[cfg(all(ossl110, feature = "v110"))]
pub fn chacha20() -> Cipher {
unsafe { Cipher(ffi::EVP_chacha20()) }
}
/// Requires the `v110` feature and OpenSSL 1.1.0.
#[cfg(all(ossl110, feature = "v110"))]
pub fn chacha20_poly1305() -> Cipher {
unsafe { Cipher(ffi::EVP_chacha20_poly1305()) }
}
pub unsafe fn from_ptr(ptr: *const ffi::EVP_CIPHER) -> Cipher {
Cipher(ptr)
}
@ -767,4 +779,52 @@ mod tests {
&Vec::from_hex(tag).unwrap()).unwrap();
assert_eq!(pt, out.to_hex());
}
#[test]
#[cfg(all(ossl110, feature = "v110"))]
fn test_chacha20() {
let key = "0000000000000000000000000000000000000000000000000000000000000000";
let iv = "00000000000000000000000000000000";
let pt = "000000000000000000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000";
let ct = "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7\
724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586";
cipher_test(Cipher::chacha20(), pt, ct, key, iv);
}
#[test]
#[cfg(all(ossl110, feature = "v110"))]
fn test_chacha20_poly1305() {
let key = "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f";
let iv = "070000004041424344454647";
let aad = "50515253c0c1c2c3c4c5c6c7";
let pt = "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393\
a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f722074\
6865206675747572652c2073756e73637265656e20776f756c642062652069742e";
let ct = "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca967128\
2fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fa\
b324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116";
let tag = "1ae10b594f09e26a7e902ecbd0600691";
let mut actual_tag = [0; 16];
let out = encrypt_aead(Cipher::chacha20_poly1305(),
&Vec::from_hex(key).unwrap(),
Some(&Vec::from_hex(iv).unwrap()),
&Vec::from_hex(aad).unwrap(),
&Vec::from_hex(pt).unwrap(),
&mut actual_tag)
.unwrap();
assert_eq!(ct, out.to_hex());
assert_eq!(tag, actual_tag.to_hex());
let out = decrypt_aead(Cipher::chacha20_poly1305(),
&Vec::from_hex(key).unwrap(),
Some(&Vec::from_hex(iv).unwrap()),
&Vec::from_hex(aad).unwrap(),
&Vec::from_hex(ct).unwrap(),
&Vec::from_hex(tag).unwrap())
.unwrap();
assert_eq!(pt, out.to_hex());
}
}

23
openssl/src/x509/tests.rs
View File

@ -1,8 +1,11 @@
use hex::{FromHex, ToHex};
use ec::{NAMED_CURVE, EcGroup, EcKey};
use hash::MessageDigest;
use nid::X9_62_PRIME256V1;
use pkey::PKey;
use rsa::Rsa;
use ssl::{SslMethod, SslContextBuilder};
use x509::{X509, X509Generator};
use x509::extension::Extension::{KeyUsage, ExtKeyUsage, SubjectAltName, OtherNid, OtherStr};
use x509::extension::AltNameOption as SAN;
@ -197,3 +200,23 @@ fn issued() {
ca.issued(&cert).unwrap();
cert.issued(&cert).err().unwrap();
}
#[test]
fn ecdsa_cert() {
let mut group = EcGroup::from_curve_name(X9_62_PRIME256V1).unwrap();
group.set_asn1_flag(NAMED_CURVE);
let key = EcKey::generate(&group).unwrap();
let key = PKey::from_ec_key(key).unwrap();
let cert = X509Generator::new()
.set_valid_period(365)
.add_name("CN".to_owned(), "TestServer".to_owned())
.set_sign_hash(MessageDigest::sha256())
.sign(&key)
.unwrap();
let mut ctx = SslContextBuilder::new(SslMethod::tls()).unwrap();
ctx.set_certificate(&cert).unwrap();
ctx.set_private_key(&key).unwrap();
ctx.check_private_key().unwrap();
}

1
systest/build.rs
View File

@ -47,6 +47,7 @@ fn main() {
.header("openssl/rand.h")
.header("openssl/pkcs12.h")
.header("openssl/bn.h")
.header("openssl/aes.h")
.header("openssl/ocsp.h");
cfg.type_name(|s, is_struct| {
// Add some `*` on some callback parameters to get function pointer to